- /sbin/iptables -L -v
- Chain INPUT (policy DROP 2004 packets, 109K bytes)
- pkts bytes target prot opt in out source destination
- 2169 107K LOG tcp -- any any anywhere anywhere state INVALID LOG level warning prefix `FIREWALL:INVALID '
- 360K 37M LOG all -- any any anywhere anywhere LOG level warning prefix `FIREWALL:INPUT '
- 0 0 ACCEPT all -- lo any anywhere anywhere
- 360K 37M SERVICES all -- any any anywhere anywhere
- 192K 12M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
- 0 0 tcp -- any any anywhere anywhere tcp dpt:ssh state NEW recent: SET name: SSH side: source
- 0 0 DROP tcp -- any any anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 8 TTL Match name: SSH side: source
- 93 4092 DROP all -- any any anywhere anywhere state INVALID
- 0 0 DROP all -- any any 10.0.0.0/8 anywhere
- 0 0 DROP all -- any any link-local/16 anywhere
- 0 0 DROP all -- any any 172.16.0.0/12 anywhere
- 0 0 DROP all -- any any loopback/8 anywhere
- 0 0 DROP all -- any any base-address.mcast.net/4 anywhere
- 0 0 DROP all -- any any anywhere base-address.mcast.net/4
- 0 0 DROP all -- any any 240.0.0.0/5 anywhere
- 0 0 DROP all -- any any anywhere 240.0.0.0/5
- 0 0 DROP all -- any any 0.0.0.0/8 anywhere
- 0 0 DROP all -- any any anywhere 0.0.0.0/8
- 0 0 DROP all -- any any anywhere 239.255.255.0/24
- 0 0 DROP all -- any any anywhere 255.255.255.255
- 0 0 DROP icmp -- any any anywhere anywhere icmp address-mask-request
- 0 0 DROP icmp -- any any anywhere anywhere icmp timestamp-request
- 16 820 ACCEPT icmp -- any any anywhere anywhere icmp any limit: avg 1/sec burst 5
- 0 0 DROP all -- any any 41.191.226.74 anywhere
- 0 0 DROP all -- any any 41.191.226.74 anywhere
- 0 0 DROP all -- any any host138-23-static.57-88-b.business.telecomitalia.it anywhere
- 0 0 DROP all -- any any 222.186.8.1 anywhere
- 0 0 DROP all -- any any 211.151.97.90 anywhere
- 0 0 DROP all -- any any 211.151.97.90 anywhere
- 0 0 DROP all -- any any 194-70-73-109.rackcentre.redstation.net.uk anywhere
- 0 0 DROP all -- any any 81.209.165.73 anywhere
- Chain FORWARD (policy DROP 0 packets, 0 bytes)
- pkts bytes target prot opt in out source destination
- 0 0 TCPMSS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
- 0 0 DROP all -- any any anywhere anywhere state INVALID
- Chain OUTPUT (policy ACCEPT 323K packets, 146M bytes)
- pkts bytes target prot opt in out source destination
- 1920 77624 DROP all -- any any anywhere anywhere state INVALID
- Chain SERVICES (1 references)
- pkts bytes target prot opt in out source destination
- 93714 14M ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
- 32000 2768K ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
- 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ftp
- 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:10000
- 0 0 ACCEPT tcp -- any any den.teliax.net anywhere tcp dpt:5060
- 65 49684 ACCEPT udp -- any any den.teliax.net anywhere udp dpt:5060
- 40552 8110K ACCEPT udp -- any any den.teliax.net anywhere udp dpts:10000:20000
- *************rules******************
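*filter
# iptables-restore ruleset for the "filter" table.
# Load with:  iptables-restore < this_file
#
# Review notes (what this revision changes and why):
#  * Ordering defect: INPUT jumped to SERVICES *before* the SSH rate-limiter,
#    the INVALID drop, the bogon drops and the per-IP blocklist, so any packet
#    aimed at an allowed port (22/80/21/10000) was ACCEPTed before those rules
#    were ever evaluated -- the live counters showed 0 packets on every one of
#    them while SERVICES had accepted ~32K SSH packets.  INPUT is now evaluated
#    as: lo -> INVALID -> ESTABLISHED,RELATED -> log -> bogons -> blocklist ->
#    ICMP -> SSH limiter -> SERVICES -> (policy DROP).
#  * Both LOG rules were unbounded (hundreds of thousands of packets logged);
#    they are now rate limited so a flood cannot fill the log partition.
#  * The general INPUT log now sits after the ESTABLISHED,RELATED accept, so
#    it records only new/unsolicited packets instead of every packet of every
#    connection.  Tune --limit if more detail is wanted.
#  * Duplicate blocklist entries removed.
# `-m state` is kept for portability; `-m conntrack --ctstate` is the modern
# equivalent where the kernel/iptables build supports it.

#policies: deny inbound and forwarded traffic by default; outbound is open
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N SERVICES

#loopback is always allowed (must precede the 127.0.0.0/8 drop below)
-A INPUT -i lo -j ACCEPT

#attack prevention: drop malformed/untracked packets before anything can ACCEPT them
-A INPUT -p tcp -m state --state INVALID -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FIREWALL:INVALID "
-A INPUT -m state --state INVALID -j DROP

#allowed responses: replies to connections this host initiated or already accepted
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#logging: only new/unsolicited packets reach this point; rate limited against log flooding
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "FIREWALL:INPUT "

#bogon / spoofed sources and destinations
#NOTE(review): 192.168.0.0/16 is absent from this list while 10/8 and 172.16/12
#are dropped; these rules match on every interface, not only the public one, so
#add or remove RFC1918 ranges according to whether a private LAN is attached.
-A INPUT -s 10.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 172.16.0.0/12 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -d 224.0.0.0/4 -j DROP
-A INPUT -s 240.0.0.0/5 -j DROP
-A INPUT -d 240.0.0.0/5 -j DROP
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -d 0.0.0.0/8 -j DROP
-A INPUT -d 239.255.255.0/24 -j DROP
-A INPUT -d 255.255.255.255 -j DROP

#block by ip: must precede the SERVICES jump or these hosts can still reach open ports
-A INPUT -s 41.191.226.74 -j DROP
-A INPUT -s 88.57.23.138 -j DROP
-A INPUT -s 222.186.8.1 -j DROP
-A INPUT -s 211.151.97.90 -j DROP
-A INPUT -s 109.73.70.194 -j DROP
-A INPUT -s 81.209.165.73 -j DROP

#icmp: refuse network-mapping requests, rate-limit everything else (1/s, burst 5)
-A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
-A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
-A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT

#ssh brute-force limiter: record every NEW connection per source, drop the 8th+
#within 60s (--rttl also requires the TTL to match, which resists spoofed sources).
#The --set rule deliberately has no target so evaluation continues.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP

#allowed inputs: everything that survived the filters above is matched against the service list
-A INPUT -j SERVICES

#VoIP alternative, implement slowly
#-A PRELUDE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
#-A PRELUDE -m conntrack ! --ctstate NEW -j DROP -m comment --comment "Same as --ctstate INVALID."

#mtu fix for forwarded TCP (only relevant if ip_forward is enabled)
-A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP

#experimental portscan handling, left disabled as in the original
#-A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
#-A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
#-A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
#-A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
#-A INPUT -m recent --name portscan --remove
#-A FORWARD -m recent --name portscan --remove
#-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
#-A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP
#-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:"
#-A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP

#allow services (packets not matched here fall back to INPUT's DROP policy)
-A SERVICES -p tcp --dport 80 -j ACCEPT
-A SERVICES -p tcp --dport 22 -j ACCEPT
#NOTE(review): FTP is cleartext, and nothing here loads the nf_conntrack_ftp
#helper -- without it data connections are not RELATED and are dropped by the
#INPUT policy.  Prefer SFTP over the already-open port 22 if the clients allow.
-A SERVICES -p tcp --dport 21 -j ACCEPT
#NOTE(review): tcp/10000 is open to any source; if this is an admin web UI
#(10000 is Webmin's default -- confirm) restrict it with -s like the VoIP rules.
-A SERVICES -p tcp --dport 10000 -j ACCEPT
#VoIP: SIP signalling and RTP media, only from the provider's host
-A SERVICES -p tcp --dport 5060 -s 63.211.239.14 -j ACCEPT
-A SERVICES -p udp --dport 5060 -s 63.211.239.14 -j ACCEPT
-A SERVICES -p udp --dport 10000:20000 -s 63.211.239.14 -j ACCEPT
COMMIT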